LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-12-2014, 11:09 AM   #1
g.navink
LQ Newbie
Registered: Nov 2009
Posts: 28

Rep: Reputation: 0
Query regarding default ACLs


I have a query regarding default ACLs. The exercise below shows my query.

# Created 2 users, navin & ramanuja.
# Ramanuja belongs to the account group.

[root@localhost ~]# groups navin
navin : navin sales

[root@localhost ~]# groups ramanuja
ramanuja : ramanuja account

[root@localhost ~]# mkdir -p /data/sales
[root@localhost ~]# chown root:sales /data/sales
[root@localhost ~]# chmod 770 /data/sales
[root@localhost ~]# chmod g+s /data/sales (Setting GID)
[root@localhost data]# ls -l
drwxrws---. 2 root sales 4096 Jan 12 21:48 sales

[root@localhost /]# ls -l | grep data
drwxr-xr-x. 4 root root 4096 Jan 12 21:48 data

Setting ACL for /data/sales directory
[root@localhost data]# setfacl -m g:account:rx /data/sales/
[root@localhost data]# getfacl /data/sales/
getfacl: Removing leading '/' from absolute path names
# file: data/sales/
# owner: root
# group: sales
# flags: -s-
user::rwx
group::rwx
group:account:r-x
mask::rwx
other::---

Setting Default ACL

[root@localhost data]# setfacl -m d:g:account:rwx /data/sales/
[root@localhost data]# getfacl /data/sales/
getfacl: Removing leading '/' from absolute path names
# file: data/sales/
# owner: root
# group: sales
# flags: -s-
user::rwx
group::rwx
group:account:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:account:rwx
default:mask::rwx
default:other::---


The user ramanuja (member of the account group) cannot create/delete any file inside the /data/sales directory. But he is able to modify the contents of any file (r1.txt) created by root inside the /data/sales directory.

Surprisingly, the user ramanuja can create a file rama1.txt inside the directory /data/sales/dir1. dir1 was created by root.

[root@localhost sales]# ls -l
total 8
drwxrws---+ 2 root sales 4096 Jan 12 22:01 dir1

[root@localhost sales]# ls -l dir1/
total 16
-rw-rw----+ 1 root sales 7 Jan 12 22:04 r1.txt
-rw-rw----+ 1 ramanuja sales 9 Jan 12 22:03 rama1.txt

[ramanuja@localhost sales]$ mkdir dir2
mkdir: cannot create directory `dir2': Permission denied


QUERY:

getfacl is showing in its default ACL entry that the account group has rwx on /data/sales. So why can the user ramanuja not create any file/dir inside the /data/sales directory, but is able to create a file inside /data/sales/dir1/? And also, he cannot create a directory (dir2) inside /data/sales.

I am using CentOS 6.4. The file system is ext4.


Thanks.
-navin
Old 01-12-2014, 08:11 PM   #2
SAbhi
Member
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

Rep: Reputation: Disabled
If you see the set of permissions on /data/sales and /data/sales/some_dir, you would be able to compare these:

default:group::rwx
default:group:account:rwx

and so lies your answer.
Old 01-12-2014, 09:18 PM   #3
g.navink
LQ Newbie
Registered: Nov 2009
Posts: 28

Original Poster
Rep: Reputation: 0
My understanding of ACLs is minimal. It would be helpful if more light were thrown upon it.
Agreed, the permissions when comparing /data/sales & /data/sales/dir1 allow account group members to create entries inside /data/sales/dir1/. The query is: why is it so?

From the getfacl output I see the permissions of the /data/sales directory as:
1) The group owner of the /data/sales directory is sales
2) account group members have read, write, execute permissions. Write permission means they can create/delete entries in the /data/sales/ directory. I mean the default ACL shows this.

Hence I assume a member of the account group (e.g. ramanuja) should be able to create new entries (files & directories) in the /data/sales/ directory. He is able to create files/directories only inside /data/sales/dir1/. dir1 was created by root.
Why does he need the help of the root user to create the directory /data/sales/dir1/?
If my understanding is correct, the account group member himself should have been able to create the dir1 directory after adding the default ACL rule. Yes, without the addition of the default ACL rule, account group members have only rx permissions.

Thanks
- navin
Old 01-13-2014, 02:32 AM   #4
SAbhi
Member
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

Rep: Reputation: Disabled
Quote:
Agreed the permissions when comparing /data/sales & /data/sales/dir1 allows account group members to create entries inside /data/sales/dir1/ . The query is why is it so?
It is because you defined it like that; I gave you two lines from what you posted in my last comment.
Quote:
From the getfacl I see the permissions of /data/sales directory as:
1) The group owner of /data/sales directory is sales
2) account group members have read,write,execute permissions. write permission means he can create/delete the entries in /data/sales/ directory. i mean default ACL shows this.
That's because the permissions are limited to that very dir, and the dirs inside it are free from it, as it is not defined to have them included.

So your assumption is a bit wrong here; a look again at how ACLs work would give you a better view of it. The best would be to try creating some more ACLs and check how they behave under a single dir structure.
Old 01-21-2014, 08:10 AM   #5
g.navink
LQ Newbie
Registered: Nov 2009
Posts: 28

Original Poster
Rep: Reputation: 0
Thanks SAbhi.

Understood: default ACLs are used to give permissions to be inherited from the parent by newly created file system objects (files/directories), based on the mask & ACL settings on the parent directory.
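To make the behaviour described in this thread reproducible without root or an ACL-enabled filesystem, here is an added Python model (not code from the thread, from the acl package or from CentOS) of the acl(5) permission check and of how a directory's default ACL is copied onto newly created children. The users, groups, paths and getfacl entries are taken from the posts above; the assumptions that mkdir requests mode 0777, that file creation requests mode 0666, and that a non-setgid creation would use a per-user private group are mine, as is the constructed SALES_GETFACL text (the entry lines of the OP's getfacl output, with the comment lines left out).

```python
"""Model of POSIX ACL checks and default-ACL inheritance (acl(5) rules); constructed example for this thread."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                                          # permission bits

def parse_perm(s):                                        # 'r-x' -> 5
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)

def fmt_perm(p):                                          # 5 -> 'r-x'
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")

@dataclass
class Acl:
    user_obj: int = 0                                     # user::  (owner)
    group_obj: int = 0                                    # group:: (owning group)
    other: int = 0                                        # other::
    users: dict = field(default_factory=dict)             # user:NAME:perm
    groups: dict = field(default_factory=dict)            # group:NAME:perm
    mask: int = None                                      # mask:: caps group:: and named entries

def parse_getfacl(text):
    """Parse getfacl entry lines (comment lines stripped) into (access ACL, default ACL or None)."""
    acls = {"access": Acl(), "default": None}
    for line in text.split():
        kind = "default" if line.startswith("default:") else "access"
        acl = acls[kind] = acls[kind] or Acl()
        tag, name, perm = line.split(":")[-3:]
        if name:                                          # user:NAME / group:NAME entry
            (acl.users if tag == "user" else acl.groups)[name] = parse_perm(perm)
        else:
            setattr(acl, {"user": "user_obj", "group": "group_obj"}.get(tag, tag), parse_perm(perm))
    return acls["access"], acls["default"]

@dataclass
class Inode:
    owner: str
    group: str
    acl: Acl                                              # access ACL: the one permission checks use
    is_dir: bool = False
    setgid: bool = False
    default_acl: Acl = None                               # directories only; copied onto new children

def check_access(node, uid, groups, want):
    """acl(5) check: the first matching class decides; group:: and named entries are ANDed with mask::."""
    a = node.acl
    mask = a.mask if a.mask is not None else R | W | X
    if uid == node.owner:
        return a.user_obj & want == want
    if uid in a.users:
        return a.users[uid] & mask & want == want
    matches = ([a.group_obj] if node.group in groups else []) + [p for g, p in a.groups.items() if g in groups]
    if matches:                                           # any matching group entry may grant the request
        return any(p & mask & want == want for p in matches)
    return a.other & want == want

def create_child(parent, uid, groups, mode, is_dir):
    """mkdir/open inside a directory that has a default ACL. Creating needs w+x on the parent's *access* ACL.
    The child's access ACL is the default ACL with user::, mask:: (group:: if no mask) and other:: ANDed with
    the requested mode (umask ignored); named entries are copied as-is; a new dir also inherits the default ACL."""
    if not check_access(parent, uid, groups, W | X):
        raise PermissionError(f"{uid} may not create entries here")
    d = parent.default_acl
    u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl = Acl(d.user_obj & u, d.group_obj, d.other & o, dict(d.users), dict(d.groups),
              None if d.mask is None else d.mask & g)
    if acl.mask is None:
        acl.group_obj &= g
    group = parent.group if parent.setgid else uid        # setgid dir: group inherited; else assume a private group
    return Inode(uid, group, acl, is_dir, is_dir and parent.setgid, d if is_dir else None)

def ls_mode(node):
    """Mode column as ls -l prints it: the group slot shows mask:: when present, '+' marks named entries."""
    a = node.acl
    gc = a.mask if a.mask is not None else a.group_obj
    g = fmt_perm(gc)[:2] + (("s" if gc & X else "S") if node.setgid else fmt_perm(gc)[2])
    return ("d" if node.is_dir else "-") + fmt_perm(a.user_obj) + g + fmt_perm(a.other) + ("+" if a.users or a.groups else "")

# Constructed copy of the entry lines from the thread's `getfacl /data/sales/` output (comment lines omitted).
SALES_GETFACL = """user::rwx group::rwx group:account:r-x mask::rwx other::---
default:user::rwx default:group::rwx default:group:account:rwx default:mask::rwx default:other::---"""

def replay_thread():
    access, default = parse_getfacl(SALES_GETFACL)
    sales = Inode("root", "sales", access, True, True, default)
    ram, rg = "ramanuja", {"ramanuja", "account"}
    out = {}
    # /data/sales itself: the access ACL gives account only r-x, so `mkdir dir2` by ramanuja is denied.
    out["ramanuja_mkdir_in_sales"] = check_access(sales, ram, rg, W | X)
    # root's `mkdir dir1` (mode 0777) inherits the default ACL, which grants account rwx.
    dir1 = create_child(sales, "root", {"root"}, 0o777, True)
    out["dir1_ls"] = ls_mode(dir1)
    out["ramanuja_create_in_dir1"] = check_access(dir1, ram, rg, W | X)
    # root's r1.txt (open mode 0666): mask:: shrinks to rw-, so account's rwx is effectively rw-.
    r1 = create_child(dir1, "root", {"root"}, 0o666, False)
    out["r1_ls"] = ls_mode(r1)
    out["ramanuja_write_r1"] = check_access(r1, ram, rg, W)
    out["ramanuja_exec_r1"] = check_access(r1, ram, rg, X)
    return out
```

Running `replay_thread()` reproduces the thread: `ramanuja_mkdir_in_sales` is False, `dir1_ls` is `drwxrws---+` and `r1_ls` is `-rw-rw----+` (matching the OP's `ls -l`), and ramanuja can create in dir1 and write r1.txt. The two points the model makes explicit are that `default:` entries never take part in the permission decision on the directory that carries them (only its access ACL does, and there account has r-x), and that a child's mask is the default mask ANDed with the creation mode, which is why r1.txt ends up with `mask::rw-` and getfacl would print `#effective:rw-` beside `group:account:rwx`. For account members to create entries directly in /data/sales, the access ACL itself would have to grant them write, for example `setfacl -m g:account:rwx /data/sales`.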